[jcifs] Re: Authentication via SmbSession.logon

Michael B Allen mba2000 at ioplex.com
Fri Apr 15 18:06:57 GMT 2005


On Fri, 15 Apr 2005 08:06:12 +0000 (UTC)
Esteve Boix <esteveb at gmail.com> wrote:

> 
> > But I think I see the problem. The AccountName field has MACH\name which
> > leads me to believe you are using
> > smb://MACH\\name:password <at> server/share/path/. The account name
> > cannot have a backslash in it. That is not a valid character in a URL.
> > The 'MACH' part is the domain.
> 
> You are absolutely and completely right. Problem solved.
> 
> Now I'm using NtlmPasswordAuthentication, but I guess it's as safe as
> using the URL, since the password travels also through the network

No, the password is never transmitted in plain text [1]. The issue is
that URLs are frequently visible to application users, within logfiles,
in exceptions, etc. It is better to hide the password in the NPA. Of
course it has to come from somewhere but at least you can isolate it in
a file or enter it once using a dialog.

In 2.0 we hope to convert entirely over to Kerberos which is a little
better about this problem - once the user runs kinit the ticket is cached.
For daemons one can use renewable tickets. Etc.

Mike

[1] unless you set disablePlainTextPasswords=false

-- 
IRC - where men are men, women are men, and the boys are FBI agents.
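One way to apply the advice above, keeping the password out of the URL and loading it from a restricted file instead. This is an added example, not code from the thread or from jcifs itself; the properties-file layout and path are this example's own assumptions, while the `NtlmPasswordAuthentication(domain, user, password)` constructor, the `SmbFile(url, auth)` constructor and the `jcifs.smb.client.disablePlainTextPasswords` property are the jcifs 1.x API as documented.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;

import jcifs.Config;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbFile;

public class NpaFromFile {

    // Reads domain/user/password from a properties file kept out of source
    // control and readable only by the service account. The property names
    // (smb.domain, smb.user, smb.password) are this example's own convention.
    static NtlmPasswordAuthentication loadAuth(String path) throws IOException {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(path)) {
            p.load(in);
        }
        String domain = p.getProperty("smb.domain");
        String user = p.getProperty("smb.user");
        String pass = p.getProperty("smb.password");
        if (domain == null || user == null || pass == null) {
            throw new IOException("credentials file incomplete: " + path);
        }
        // The domain is passed separately, so no backslash ends up in a URL.
        return new NtlmPasswordAuthentication(domain, user, pass);
    }

    public static void main(String[] args) throws Exception {
        // Keep the default refusal of plain-text password logon; the footnote's
        // disablePlainTextPasswords=false is the setting to avoid.
        Config.setProperty("jcifs.smb.client.disablePlainTextPasswords", "true");

        // Assumed location; any path outside the web root with 0600 permissions works.
        NtlmPasswordAuthentication auth =
            loadAuth("/etc/myapp/smb-credentials.properties");

        // The URL itself carries no credentials, so printing it, logging it or
        // having it surface in an SmbException message does not leak the password.
        String url = "smb://server/share/path/";
        SmbFile dir = new SmbFile(url, auth);
        System.out.println("listing " + dir.getPath());
        for (SmbFile f : dir.listFiles()) {
            System.out.println(f.getName());
        }
    }
}
```

The point of the split is that `dir.getPath()` and the messages jcifs puts in exceptions are derived from the credential-free URL, so the only place the password exists is the `NtlmPasswordAuthentication` object and the file it was read from.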